|
|
|
@ -622,183 +622,31 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
super(CertificateSigningRequestCryptography, self).__init__(module)
|
|
|
|
|
self.cryptography_backend = cryptography.hazmat.backends.default_backend()
|
|
|
|
|
|
|
|
|
|
def _get_name_oid(self, id):
|
|
|
|
|
if id in ('CN', 'commonName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.COMMON_NAME
|
|
|
|
|
if id in ('C', 'countryName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.COUNTRY_NAME
|
|
|
|
|
if id in ('L', 'localityName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.LOCALITY_NAME
|
|
|
|
|
if id in ('ST', 'stateOrProvinceName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.STATE_OR_PROVINCE_NAME
|
|
|
|
|
if id in ('street', 'streetAddress'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.STREET_ADDRESS
|
|
|
|
|
if id in ('O', 'organizationName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.ORGANIZATION_NAME
|
|
|
|
|
if id in ('OU', 'organizationalUnitName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.ORGANIZATIONAL_UNIT_NAME
|
|
|
|
|
if id in ('serialNumber', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.SERIAL_NUMBER
|
|
|
|
|
if id in ('SN', 'surname'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.SURNAME
|
|
|
|
|
if id in ('GN', 'givenName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.GIVEN_NAME
|
|
|
|
|
if id in ('title', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.TITLE
|
|
|
|
|
if id in ('generationQualifier', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.GENERATION_QUALIFIER
|
|
|
|
|
if id in ('x500UniqueIdentifier', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.X500_UNIQUE_IDENTIFIER
|
|
|
|
|
if id in ('dnQualifier', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.DN_QUALIFIER
|
|
|
|
|
if id in ('pseudonym', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.PSEUDONYM
|
|
|
|
|
if id in ('UID', 'userId'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.USER_ID
|
|
|
|
|
if id in ('DC', 'domainComponent'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.DOMAIN_COMPONENT
|
|
|
|
|
if id in ('emailAddress', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.EMAIL_ADDRESS
|
|
|
|
|
if id in ('jurisdictionC', 'jurisdictionCountryName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.JURISDICTION_COUNTRY_NAME
|
|
|
|
|
if id in ('jurisdictionL', 'jurisdictionLocalityName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.JURISDICTION_LOCALITY_NAME
|
|
|
|
|
if id in ('jurisdictionST', 'jurisdictionStateOrProvinceName'):
|
|
|
|
|
return cryptography.x509.oid.NameOID.JURISDICTION_STATE_OR_PROVINCE_NAME
|
|
|
|
|
if id in ('businessCategory', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.BUSINESS_CATEGORY
|
|
|
|
|
if id in ('postalAddress', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.POSTAL_ADDRESS
|
|
|
|
|
if id in ('postalCode', ):
|
|
|
|
|
return cryptography.x509.oid.NameOID.POSTAL_CODE
|
|
|
|
|
raise CertificateSigningRequestError('Unknown subject field identifier "{0}"'.format(id))
|
|
|
|
|
|
|
|
|
|
def _get_san(self, name):
|
|
|
|
|
try:
|
|
|
|
|
if name.startswith('DNS:'):
|
|
|
|
|
return cryptography.x509.DNSName(to_text(name[4:]))
|
|
|
|
|
if name.startswith('IP:'):
|
|
|
|
|
return cryptography.x509.IPAddress(ipaddress.ip_address(to_text(name[3:])))
|
|
|
|
|
if name.startswith('email:'):
|
|
|
|
|
return cryptography.x509.RFC822Name(to_text(name[6:]))
|
|
|
|
|
if name.startswith('URI:'):
|
|
|
|
|
return cryptography.x509.UniformResourceIdentifier(to_text(name[4:]))
|
|
|
|
|
except Exception as e:
|
|
|
|
|
raise CertificateSigningRequestError('Cannot parse Subject Alternative Name "{0}": {1}'.format(name, e))
|
|
|
|
|
if ':' not in name:
|
|
|
|
|
raise CertificateSigningRequestError('Cannot parse Subject Alternative Name "{0}" (forgot "DNS:" prefix?)'.format(name))
|
|
|
|
|
raise CertificateSigningRequestError('Cannot parse Subject Alternative Name "{0}" (potentially unsupported by cryptography backend)'.format(name))
|
|
|
|
|
|
|
|
|
|
def _get_keyusage(self, usage):
|
|
|
|
|
if usage in ('Digital Signature', 'digitalSignature'):
|
|
|
|
|
return 'digital_signature'
|
|
|
|
|
if usage in ('Non Repudiation', 'nonRepudiation'):
|
|
|
|
|
return 'content_commitment'
|
|
|
|
|
if usage in ('Key Encipherment', 'keyEncipherment'):
|
|
|
|
|
return 'key_encipherment'
|
|
|
|
|
if usage in ('Data Encipherment', 'dataEncipherment'):
|
|
|
|
|
return 'data_encipherment'
|
|
|
|
|
if usage in ('Key Agreement', 'keyAgreement'):
|
|
|
|
|
return 'key_agreement'
|
|
|
|
|
if usage in ('Certificate Sign', 'keyCertSign'):
|
|
|
|
|
return 'key_cert_sign'
|
|
|
|
|
if usage in ('CRL Sign', 'cRLSign'):
|
|
|
|
|
return 'crl_sign'
|
|
|
|
|
if usage in ('Encipher Only', 'encipherOnly'):
|
|
|
|
|
return 'encipher_only'
|
|
|
|
|
if usage in ('Decipher Only', 'decipherOnly'):
|
|
|
|
|
return 'decipher_only'
|
|
|
|
|
raise CertificateSigningRequestError('Unknown key usage "{0}"'.format(usage))
|
|
|
|
|
|
|
|
|
|
def _get_ext_keyusage(self, usage):
|
|
|
|
|
if usage in ('serverAuth', 'TLS Web Server Authentication'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.SERVER_AUTH
|
|
|
|
|
if usage in ('clientAuth', 'TLS Web Client Authentication'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.CLIENT_AUTH
|
|
|
|
|
if usage in ('codeSigning', 'Code Signing'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.CODE_SIGNING
|
|
|
|
|
if usage in ('emailProtection', 'E-mail Protection'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.EMAIL_PROTECTION
|
|
|
|
|
if usage in ('timeStamping', 'Time Stamping'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.TIME_STAMPING
|
|
|
|
|
if usage in ('OCSPSigning', 'OCSP Signing'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.OCSP_SIGNING
|
|
|
|
|
if usage in ('anyExtendedKeyUsage', 'Any Extended Key Usage'):
|
|
|
|
|
return cryptography.x509.oid.ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE
|
|
|
|
|
if usage in ('qcStatements', ):
|
|
|
|
|
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.3")
|
|
|
|
|
if usage in ('DVCS', ):
|
|
|
|
|
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.3.10")
|
|
|
|
|
if usage in ('IPSec User', 'ipsecUser'):
|
|
|
|
|
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.3.7")
|
|
|
|
|
if usage in ('Biometric Info', 'biometricInfo'):
|
|
|
|
|
return cryptography.x509.oid.ObjectIdentifier("1.3.6.1.5.5.7.1.2")
|
|
|
|
|
# FIXME need some more, probably all from https://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.3
|
|
|
|
|
raise CertificateSigningRequestError('Unknown extended key usage "{0}"'.format(usage))
|
|
|
|
|
|
|
|
|
|
def _get_basic_constraints(self, constraints):
|
|
|
|
|
ca = False
|
|
|
|
|
path_length = None
|
|
|
|
|
if constraints:
|
|
|
|
|
for constraint in constraints:
|
|
|
|
|
if constraint.startswith('CA:'):
|
|
|
|
|
if constraint == 'CA:TRUE':
|
|
|
|
|
ca = True
|
|
|
|
|
elif constraint == 'CA:FALSE':
|
|
|
|
|
ca = False
|
|
|
|
|
else:
|
|
|
|
|
raise CertificateSigningRequestError('Unknown basic constraint value "{0}" for CA'.format(constraint[3:]))
|
|
|
|
|
elif constraint.startswith('pathlen:'):
|
|
|
|
|
v = constraint[len('pathlen:'):]
|
|
|
|
|
try:
|
|
|
|
|
path_length = int(v)
|
|
|
|
|
except Exception as e:
|
|
|
|
|
raise CertificateSigningRequestError('Cannot parse path length constraint "{0}" ({1})'.format(v, e))
|
|
|
|
|
else:
|
|
|
|
|
raise CertificateSigningRequestError('Unknown basic constraint "{0}"'.format(constraint))
|
|
|
|
|
return ca, path_length
|
|
|
|
|
|
|
|
|
|
def _parse_key_usage(self):
|
|
|
|
|
params = dict(
|
|
|
|
|
digital_signature=False,
|
|
|
|
|
content_commitment=False,
|
|
|
|
|
key_encipherment=False,
|
|
|
|
|
data_encipherment=False,
|
|
|
|
|
key_agreement=False,
|
|
|
|
|
key_cert_sign=False,
|
|
|
|
|
crl_sign=False,
|
|
|
|
|
encipher_only=False,
|
|
|
|
|
decipher_only=False,
|
|
|
|
|
)
|
|
|
|
|
for usage in self.keyUsage:
|
|
|
|
|
params[self._get_keyusage(usage)] = True
|
|
|
|
|
return params
|
|
|
|
|
|
|
|
|
|
def _generate_csr(self):
|
|
|
|
|
csr = cryptography.x509.CertificateSigningRequestBuilder()
|
|
|
|
|
try:
|
|
|
|
|
csr = csr.subject_name(cryptography.x509.Name([
|
|
|
|
|
cryptography.x509.NameAttribute(self._get_name_oid(entry[0]), to_text(entry[1])) for entry in self.subject
|
|
|
|
|
cryptography.x509.NameAttribute(crypto_utils.cryptography_get_name_oid(entry[0]), to_text(entry[1])) for entry in self.subject
|
|
|
|
|
]))
|
|
|
|
|
except ValueError as e:
|
|
|
|
|
raise CertificateSigningRequestError(e)
|
|
|
|
|
|
|
|
|
|
if self.subjectAltName:
|
|
|
|
|
csr = csr.add_extension(cryptography.x509.SubjectAlternativeName([
|
|
|
|
|
self._get_san(name) for name in self.subjectAltName
|
|
|
|
|
crypto_utils.cryptography_get_name(name) for name in self.subjectAltName
|
|
|
|
|
]), critical=self.subjectAltName_critical)
|
|
|
|
|
|
|
|
|
|
if self.keyUsage:
|
|
|
|
|
params = self._parse_key_usage()
|
|
|
|
|
params = crypto_utils.cryptography_parse_key_usage_params(self.keyUsage)
|
|
|
|
|
csr = csr.add_extension(cryptography.x509.KeyUsage(**params), critical=self.keyUsage_critical)
|
|
|
|
|
|
|
|
|
|
if self.extendedKeyUsage:
|
|
|
|
|
usages = [self._get_ext_keyusage(usage) for usage in self.extendedKeyUsage]
|
|
|
|
|
usages = [crypto_utils.cryptography_get_ext_keyusage(usage) for usage in self.extendedKeyUsage]
|
|
|
|
|
csr = csr.add_extension(cryptography.x509.ExtendedKeyUsage(usages), critical=self.extendedKeyUsage_critical)
|
|
|
|
|
|
|
|
|
|
if self.basicConstraints:
|
|
|
|
|
params = {}
|
|
|
|
|
ca, path_length = self._get_basic_constraints(self.basicConstraints)
|
|
|
|
|
ca, path_length = crypto_utils.cryptography_get_basic_constraints(self.basicConstraints)
|
|
|
|
|
csr = csr.add_extension(cryptography.x509.BasicConstraints(ca, path_length), critical=self.basicConstraints_critical)
|
|
|
|
|
|
|
|
|
|
if self.ocspMustStaple:
|
|
|
|
@ -842,7 +690,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
|
|
|
|
|
def _check_csr(self):
|
|
|
|
|
def _check_subject(csr):
|
|
|
|
|
subject = [(self._get_name_oid(entry[0]), entry[1]) for entry in self.subject]
|
|
|
|
|
subject = [(crypto_utils.cryptography_get_name_oid(entry[0]), entry[1]) for entry in self.subject]
|
|
|
|
|
current_subject = [(sub.oid, sub.value) for sub in csr.subject]
|
|
|
|
|
return set(subject) == set(current_subject)
|
|
|
|
|
|
|
|
|
@ -855,7 +703,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
def _check_subjectAltName(extensions):
|
|
|
|
|
current_altnames_ext = _find_extension(extensions, cryptography.x509.SubjectAlternativeName)
|
|
|
|
|
current_altnames = [str(altname) for altname in current_altnames_ext.value] if current_altnames_ext else []
|
|
|
|
|
altnames = [str(self._get_san(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
|
|
|
|
|
altnames = [str(crypto_utils.cryptography_get_name(altname)) for altname in self.subjectAltName] if self.subjectAltName else []
|
|
|
|
|
if set(altnames) != set(current_altnames):
|
|
|
|
|
return False
|
|
|
|
|
if altnames:
|
|
|
|
@ -869,7 +717,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
return current_keyusage_ext is None
|
|
|
|
|
elif current_keyusage_ext is None:
|
|
|
|
|
return False
|
|
|
|
|
params = self._parse_key_usage()
|
|
|
|
|
params = crypto_utils.cryptography_parse_key_usage_params(self.keyUsage)
|
|
|
|
|
for param in params:
|
|
|
|
|
if getattr(current_keyusage_ext.value, '_' + param) != params[param]:
|
|
|
|
|
return False
|
|
|
|
@ -880,7 +728,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
def _check_extenededKeyUsage(extensions):
|
|
|
|
|
current_usages_ext = _find_extension(extensions, cryptography.x509.ExtendedKeyUsage)
|
|
|
|
|
current_usages = [str(usage) for usage in current_usages_ext.value] if current_usages_ext else []
|
|
|
|
|
usages = [str(self._get_ext_keyusage(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else []
|
|
|
|
|
usages = [str(crypto_utils.cryptography_get_ext_keyusage(usage)) for usage in self.extendedKeyUsage] if self.extendedKeyUsage else []
|
|
|
|
|
if set(current_usages) != set(usages):
|
|
|
|
|
return False
|
|
|
|
|
if usages:
|
|
|
|
@ -892,7 +740,7 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
|
|
|
|
|
bc_ext = _find_extension(extensions, cryptography.x509.BasicConstraints)
|
|
|
|
|
current_ca = bc_ext.ca if bc_ext else False
|
|
|
|
|
current_path_length = bc_ext.path_length if bc_ext else None
|
|
|
|
|
ca, path_length = self._get_basic_constraints(self.basicConstraints)
|
|
|
|
|
ca, path_length = crypto_utils.cryptography_get_basic_constraints(self.basicConstraints)
|
|
|
|
|
# Check CA flag
|
|
|
|
|
if ca != current_ca:
|
|
|
|
|
return False
|
|
|
|
|